How do Broken Authentication and Session Management

Hi,

Finally our project has been launched in NIC. Before the NIC launch our software was audited by them. So they have required pre cookies and post cookies. We have tried it, but the problem is that if we try to change the cookie name then it affects our session values, so we are not getting the user name and information to display whose name and login information per page when he is opening it for data entry or view..

So how do we solve this? The following solution....

The following solution can be implemented for fixing the session fixation flaw & Improper Cache control:

I. Follow a secure session management lifecycle which includes proper initialization, maintenance, authentication and termination of the session token.

II. Application should generate different tokens for pre authentication and post authentication. The first time a user visits this web site, he/she is given a session token by the web site. Now when the user attempts to login, the same session token is used while processing this request. After the login process, if the web site doesn't allocate a fresh session token to the user, the user is prone to session fixation attack. So it is mandatory for the web site to provide a unique, random and fresh session token after the user has authenticated to the web site.

III. Do not allow the login process to start from an unencrypted page. Always start the login process from a second, encrypted page with a fresh or new session token to prevent credential or session stealing, phishing attacks and session fixation attacks.

IV. Consider regenerating a new session upon successful authentication or privilege level change.

V. Only use the inbuilt session management mechanism. Do not write or use secondary session handlers under any circumstances.

VI. Do not accept new, preset or invalid session identifiers from the URL or in the request. This is called a session fixation attack.

VII. The session tokens given to the user before the authentication process should be different from session tokens that are given to the user after the user has authenticated.
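Added example (not code from this thread or its posters): an ASP.NET Web Forms login handler that applies points II, IV and VII above. The controls txtUser, txtPassword and lblError, and the ValidateCredentials helper, are assumed names; the user identity is carried in the forms-authentication ticket rather than in Session so that it survives the session change.

```csharp
// Login.aspx.cs (assumed file). Session id regeneration after a successful login.
// web.config counterparts (not shown): <sessionState cookieless="UseCookies" /> so ids
// carried in the URL are not accepted (point VI); <httpCookies httpOnlyCookies="true"
// requireSSL="true" /> so cookies are kept away from script and from plain HTTP.
using System;
using System.Web;
using System.Web.Security;

public partial class Login : System.Web.UI.Page
{
    protected void btnLogin_Click(object sender, EventArgs e)
    {
        if (!ValidateCredentials(txtUser.Text, txtPassword.Text))
        {
            lblError.Text = "Invalid login.";
            return;
        }

        // Drop the pre-authentication session so a token the browser arrived
        // with can never become the authenticated one (points II and VII).
        RegenerateSessionAfterLogin(Context);

        // Identity lives in the signed/encrypted forms-auth ticket, not in Session,
        // so every page can read User.Identity.Name after the session id changes.
        // The password itself is never stored anywhere after this check.
        FormsAuthentication.SetAuthCookie(txtUser.Text, createPersistentCookie: false);
        Response.Redirect(FormsAuthentication.GetRedirectUrl(txtUser.Text, false), endResponse: true);
    }

    // Abandons the current session and expires its cookie; ASP.NET issues a fresh,
    // random id on the next request (point IV: regenerate on authentication).
    private static void RegenerateSessionAfterLogin(HttpContext ctx)
    {
        ctx.Session.Abandon();
        ctx.Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", string.Empty)
        {
            Expires = DateTime.UtcNow.AddDays(-1), // tells the browser to discard it
            HttpOnly = true,
            Secure = ctx.Request.IsSecureConnection
        });
    }

    // Assumed helper: delegates to the Membership provider configured in web.config.
    private static bool ValidateCredentials(string user, string password)
    {
        return Membership.ValidateUser(user, password);
    }
}
```

Pages that previously read the user name from Session should read User.Identity.Name instead, and any per-user data they need in the new session is rebuilt from the database on first use after the redirect.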

As per my understanding this is not the place to post this, in the Forum section; I may suggest you post the same in the Article section, which will reach a number of people who are looking for the same. Anyhow, nice to hear that you have split your authentication into 2 parts like "preAuthentication / PostAuthentication".

If possible provide a sample piece of code; that will reach more people.

--------------------------------------------------------------------------------
Give respect to your work, instead of trying to impress your boss.

We are going through an audit of our software. So when we login the first time, it creates our own cookie, and after login our cookie does not change. So there is a chance of hacking our cookie/site, meaning he can paste our cookie in which we are storing user name and password.

So our auditor told us to change the cookie value after login. But the problem is that if we change the cookie value then we can't access the session values, because our other pages are checking the session values for authentication of the user. Now we want that if our cookie value ('KONKAN' is the name of the cookie/session) changes, it should not affect our session values..

Secure session state: The session-state feature is enabled by default. While the default configuration settings are set to the most secure values, you should disable session state if it is not required for your application. When storing sensitive information in a configuration file for an application, you should encrypt the sensitive values using Protected Configuration. Information that is especially sensitive includes the encryption keys stored in the machineKey configuration element and data source connection strings stored in the connectionStrings configuration element. For better details switch to the link below:

https://msdn.microsoft.com/en-us/library/ms178201.aspx

Thanks
Koolprasd2003
Editor, DotNetSpider MVM
Microsoft MVP 2014 [ASP.NET/IIS]